I just spent a long time diagnosing why I couldn't get a public key ssh login to work. It eventually transpired that ssh doesn't allow one to have group write permission on one's home directory.
That's *not* the permission on the .ssh directory, it's the permission on the one above that.
A quick Google search confirms that this is the case, ssh refuses to do public key authentication if the user's home directory has group write permission on it.
I can't see any way to disable this (turning StrictModes off seems to disable too much) and I don't really understand the reason for it either.
I only want group write set on one particular user, can anyone suggest a way to allow ssh public-key login to that user?
On 23 Jun 2011, at 17:06, Chris G wrote:
> I don't really understand the reason for it either.
The reason is that if someone else in your group has write permission to your $HOME, they can create a new .ssh directory, and replace yours with it, and then trick you to get into the wrong hosts, or as the wrong user, or divulge your password, or expose your keys. Or they could mess with say your .bashrc.
On systems where you have per-user groups (i.e. the group name is the same as your user name), that's not a problem, because there are no others in your group. On other systems, where your group may be for example "staff", that is a problem.
> I only want group write set on one particular user, can anyone suggest a way to allow ssh public-key login to that user?
I'm not quite sure what you're asking here.
Can't you just remove group writability on the directory?
-- Martijn
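To make Martijn's reasoning concrete, here is an added example (not code from the thread, and not sshd's own source) that reproduces, approximately, the ownership and mode walk sshd performs under StrictModes before it trusts ~/.ssh/authorized_keys: every path component from the key file up to and including the home directory must be owned by the user or root and must not be group- or world-writable. It assumes GNU coreutils `stat`; the function and its argument names are mine.

```shell
#!/bin/sh
# check_ssh_perms USER HOME
# Walks from HOME/.ssh/authorized_keys up to HOME, applying the same two tests
# sshd applies to each component under StrictModes:
#   1. owner must be USER or root;
#   2. no group-write and no other-write bit (mode & 022 must be zero).
# Returns 0 when the key file would be accepted, 1 otherwise, printing the
# first offending path so the admin knows what to chmod/chown.
# Added example, not sshd's code; assumes GNU stat.
check_ssh_perms() {
    user="$1"; home="$2"
    uid="$(id -u "$user")" || return 1
    path="$home/.ssh/authorized_keys"
    while :; do
        [ -e "$path" ] || { echo "missing: $path"; return 1; }
        # stat prints "<numeric uid> <octal mode>", e.g. "1000 775"
        set -- $(stat -c '%u %a' "$path")
        owner="$1"; mode="$2"
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "wrong owner on $path (uid $owner)"; return 1
        fi
        # Leading 0 makes the shell treat the mode as octal; 022 masks g+w and o+w.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "group or world writable: $path (mode $mode)"; return 1
        fi
        # The home directory itself is the last component sshd examines.
        [ "$path" = "$home" ] && break
        [ "$path" = / ] && break
        path="$(dirname "$path")"
    done
    echo "ok: $home/.ssh/authorized_keys is acceptable to sshd"
    return 0
}
```

Run it as `check_ssh_perms chris /home/chris`; a home directory with mode 775 fails exactly as the original post describes, while 755 passes, and a group-writable .ssh or authorized_keys is caught on the way up.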
On Thu, Jun 23, 2011 at 06:00:11PM +0100, Martijn Koster wrote:
> On 23 Jun 2011, at 17:06, Chris G wrote:
> > I don't really understand the reason for it either.
> The reason is that if someone else in your group has write permission to your $HOME, they can create a new .ssh directory, and replace yours with it, and then trick you to get into the wrong hosts, or as the wrong user, or divulge your password, or expose your keys. Or they could mess with say your .bashrc.
> On systems where you have per-user groups (i.e. the group name is the same as your user name), that's not a problem, because there are no others in your group. On other systems, where your group may be for example "staff", that is a problem.
OK, so there is a risk on multi-user systems, I want to do this on a non multi-user system.
> > I only want group write set on one particular user, can anyone suggest a way to allow ssh public-key login to that user?
> I'm not quite sure what you're asking here.
> Can't you just remove group writability on the directory?
No, because I want to actually *use* the ability for two users (well, two different versions of me) to write to a single directory hierarchy.
On Thu, 23 Jun 2011 17:06:32 +0100, Chris G wrote:
> I just spent a long time diagnosing why I couldn't get a public key ssh login to work. It eventually transpired that ssh doesn't allow one to have group write permission on one's home directory.
> That's *not* the permission on the .ssh directory, it's the permission on the one above that.
> A quick Google search confirms that this is the case, ssh refuses to do public key authentication if the user's home directory has group write permission on it.
With write permissions on the parent directory, you could conceivably change the permissions on .ssh - I believe it's this behaviour that sshd is trying to avoid.
> I can't see any way to disable this (turning StrictModes off seems to disable too much) and I don't really understand the reason for it either.
> I only want group write set on one particular user, can anyone suggest a way to allow ssh public-key login to that user?
I get around this by changing the authorized_keys location and placing the accepted keys in /etc/ssh/authorized_keys/%u by adding the following in sshd_config - I place it along with the "PubkeyAuthentication Yes" line for my own sanity:
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
HTH,
Jim
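Jim's workaround moves the trust decision out of the user's home altogether: sshd reads the key from a directory that only root can write, so the home directory's group-write bit stops mattering. The following is an added example (my code, not Jim's or OpenSSH's) of setting that up in a way that preserves the property the check exists for: the directory and the per-user files are not writable by the users whose keys they hold. `KEYS_ROOT` defaults to the /etc/ssh/authorized_keys path from the thread and can be overridden for testing; the function names are mine, and it assumes GNU coreutils `install` and `stat`.

```shell
#!/bin/sh
# install_central_key USER PUBKEY_FILE
# Copies a public key to KEYS_ROOT/USER (default /etc/ssh/authorized_keys/USER).
# Run as root on a real system: the directory must be 755 and the file 644 so
# that sshd can read them but the user cannot alter them, which is the whole
# point of taking them out of $HOME.  Prints the resulting file mode.
install_central_key() {
    user="$1"; pubkey="$2"
    root="${KEYS_ROOT:-/etc/ssh/authorized_keys}"
    # Create the directory (if needed) with a mode that denies group/other write.
    install -d -m 755 "$root" || return 1
    # Per-user file: readable by sshd, writable only by its owner (root in production).
    install -m 644 "$pubkey" "$root/$user" || return 1
    stat -c '%a' "$root/$user"
}

# enable_central_keys [SSHD_CONFIG]
# Appends the AuthorizedKeysFile line from the thread; %u is expanded by sshd to
# the authenticating user's name.  Refuses to add a second directive if one is
# already active, since a duplicate would silently change which file is used.
enable_central_keys() {
    cfg="${1:-/etc/ssh/sshd_config}"
    root="${KEYS_ROOT:-/etc/ssh/authorized_keys}"
    if grep -q '^AuthorizedKeysFile' "$cfg"; then
        echo "AuthorizedKeysFile already set in $cfg; edit it by hand"
        return 1
    fi
    printf 'AuthorizedKeysFile %s/%%u\n' "$root" >> "$cfg"
}
```

After editing the real sshd_config, run `sshd -t` to validate it before restarting the daemon, and keep an existing session open while testing the new login path. Note that with this directive in place sshd no longer consults ~/.ssh/authorized_keys at all, so every user's keys must live under the central directory.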
On Thu, Jun 23, 2011 at 06:53:05PM +0100, Jim Rippon wrote:
> On Thu, 23 Jun 2011 17:06:32 +0100, Chris G wrote:
> > I just spent a long time diagnosing why I couldn't get a public key ssh login to work. It eventually transpired that ssh doesn't allow one to have group write permission on one's home directory.
> > That's *not* the permission on the .ssh directory, it's the permission on the one above that.
> > A quick Google search confirms that this is the case, ssh refuses to do public key authentication if the user's home directory has group write permission on it.
> With write permissions on the parent directory, you could conceivably change the permissions on .ssh - I believe it's this behaviour that sshd is trying to avoid.
> > I can't see any way to disable this (turning StrictModes off seems to disable too much) and I don't really understand the reason for it either.
> > I only want group write set on one particular user, can anyone suggest a way to allow ssh public-key login to that user?
> I get around this by changing the authorized_keys location and placing the accepted keys in /etc/ssh/authorized_keys/%u by adding the following in sshd_config - I place it along with the "PubkeyAuthentication Yes" line for my own sanity:
> AuthorizedKeysFile /etc/ssh/authorized_keys/%u
Thanks, that seems like a reasonable way to go.